Threat Hunting Vs SIEM use cases

When I ran into the phrase “threat hunting” 5 years ago, I was confused. It was being treated as, and talked about as, some sort of highly specialised activity requiring special skills and techniques. But I saw it as the basic, fundamental activity of a security analyst: you review the logs, look for anomalies, and chase down things that don’t look right.

And from that angle, there is no difference between doing that and devising new SIEM use cases, except that a SIEM use case automates the specific process.

However, the term “threat hunting” has mutated beyond its original meaning, just as people use the term “AI” when they really mean “statistical analysis”. Threat hunting can mean “log analysis” in some contexts, or it can mean “discovering something no one has discovered before”.

Threat hunting is a free-form exploration of complex data to look for anomalous patterns. In its pure form, it cannot be automated.

A SIEM automates specific searches and analyses, usually based on the results of threat hunting where it is possible to look for a specific pattern. SIEMs can’t find a novel pattern within complex data; humans can.

So, there is overlap between the two activities and one can lead to the other.

Threat Hunting Vs SIEM USE CASE

Lately I’m confused about threat hunting vs SIEM use case creation.
So far, the threat hunting resources I have read can be created as SIEM use cases, so why should I
perform it manually in the name of hunting!!!
How exactly does hunting differ from a SIEM use case?

threat modeling – I’m going to install the SIEM solution

Currently, there are too few ways to monitor security issues at the current company.

Security solutions such as NDR, IPS, and WAF exist, but since there is no SIEM, the logs must be checked on each piece of equipment one by one.

Therefore, if an incident occurs now, it is only found if the infrastructure engineer happens to be lucky enough to check the equipment’s logs.

I have a plan to build a SIEM, write correlation rules, and link important events to Opsgenie, Slack, Jira, etc.

I have only used ArcSight, but it is difficult to purchase ArcSight due to current budget issues.

In addition to NDR, IPS, and WAF, other cloud logs such as AWS and GCP are also planned to be integrated for monitoring; I have confirmed that there are SIEMs such as Sumo Logic, Datadog, Splunk, and LogRhythm.

The main targets to be monitored are IPS and IDS, and the correlation rules will mainly be created on Event Name and IP.

ArcSight made it very easy to create these rules, but do other log solutions provide this as well?

Elasticsearch was also used internally, so I first attempted to use Elasticsearch; it was quick and useful for retrieving certain events, but it was impossible to trigger correlation rules.

Recently, X-Pack has a SIEM function, but I couldn’t make the rules I wanted.

I want to trigger an alert when event 2 (B -> C) occurs after event 1 (A -> B). Do most SIEMs basically provide this?
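A sequence rule like "B -> C after A -> B" needs the SIEM to keep state between the two events. As an added illustration (not code from the question or from any of the products named), here is a small stateful correlator in Python run over constructed events; the window length, the event fields and the sample events are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events (not from the question): src/dst are hosts, "name" is the
# event name a rule would normally key on, _time is in seconds.
EVENTS = [
    {"_time": 100,  "src": "A", "dst": "B", "name": "ssh-login"},
    {"_time": 400,  "src": "B", "dst": "C", "name": "smb-session"},  # B->C soon after A->B: alert
    {"_time": 2000, "src": "D", "dst": "E", "name": "ssh-login"},
    {"_time": 5000, "src": "E", "dst": "F", "name": "smb-session"},  # E->F too long after D->E
    {"_time": 5100, "src": "X", "dst": "F", "name": "smb-session"},  # nothing ever reached X
]

class ChainCorrelator:
    """Stateful two-step rule: alert when an event B->C arrives within `window` seconds
    after any event A->B. Per destination node we keep the recent events that targeted
    it, so the second hop can look up its own source as an earlier target."""

    def __init__(self, window=600):
        self.window = window
        self.inbound = defaultdict(deque)   # dst -> deque of (time, src, name), oldest first

    def feed(self, ev):
        t, src, dst = ev["_time"], ev["src"], ev["dst"]
        first_hops = self.inbound[src]
        while first_hops and t - first_hops[0][0] > self.window:  # expire hops outside window
            first_hops.popleft()
        alerts = [{"first": (a, src, name0, t0), "second": (src, dst, ev["name"], t)}
                  for t0, a, name0 in first_hops]
        self.inbound[dst].append((t, src, ev["name"]))  # may become step 1 of a later chain
        return alerts

def run_rule(events, window=600):
    """Feed events in time order and collect every chained alert."""
    corr = ChainCorrelator(window)
    alerts = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        alerts.extend(corr.feed(ev))
    return alerts

if __name__ == "__main__":
    for a in run_rule(EVENTS):
        print("ALERT chain:", a["first"], "then", a["second"])
```

The per-node deque is the whole "state" such a rule needs; a SIEM without sequence support has to fake it with a scheduled search over both events, which is why the question matters when choosing a product.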

Should I use UDP or TCP for logging to a SIEM?

We have an application that runs on hundreds of users’ computers on our company’s internal network. We want to start sending logs from this app to a SIEM (Graylog). We have decided to add code to our app that sends logs from the app to the SIEM directly. The only question is, should we use UDP or TCP to send the logs? My preference is to use TCP because of the reliability, but what happens if the SIEM goes offline — won’t that cause our app to block, thus slowing down our entire system? I am very curious about how other companies handle this situation. I have read a few guides online, and most recommend TCP because of the reliability but none address the blocking issue.
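One way to keep TCP's delivery guarantees without letting an offline SIEM block the application, as an added example (not code from the question or from Graylog): the app writes into a bounded in-memory queue and returns immediately, while a background thread does the blocking TCP work and retries. The Graylog host and port, buffer size and retry delay are assumptions.

```python
import queue
import socket
import threading
import time

class NonBlockingSiemSender:
    """App threads drop lines into a bounded queue and return at once; a background thread
    ships them. If the SIEM is down the queue fills and new lines are dropped and counted."""

    def __init__(self, send_line, maxsize=1000, start=True):
        self.send_line = send_line      # callable(bytes); raises OSError while the SIEM is down
        self.q = queue.Queue(maxsize=maxsize)
        self.dropped = 0                # visible loss counter: alert on it, do not hide it
        self._thread = threading.Thread(target=self._pump, daemon=True)
        if start:
            self._thread.start()

    def log(self, line):
        """Never blocks: True if queued, False if the buffer is full and the line is dropped."""
        try:
            self.q.put_nowait(line.encode() + b"\n")
            return True
        except queue.Full:
            self.dropped += 1
            return False

    def _pump(self):
        while True:
            item = self.q.get()
            while True:                 # retry this one line until the SIEM accepts it
                try:
                    self.send_line(item)
                    break
                except OSError:
                    time.sleep(0.5)     # back off; the app keeps running meanwhile
            self.q.task_done()          # lets q.join() wait for delivery at shutdown

def tcp_sender(host, port, timeout=2.0):
    """Send function for the pump: one TCP connection with timeouts, reopened after any error."""
    conn = {"sock": None}
    def send(data):
        if conn["sock"] is None:
            conn["sock"] = socket.create_connection((host, port), timeout=timeout)
        try:
            conn["sock"].sendall(data)
        except OSError:
            conn["sock"] = None
            raise
    return send
```

The `dropped` counter makes the trade-off explicit: when the SIEM is unreachable for longer than the buffer covers, lines are lost instead of the application stalling, so that counter belongs in monitoring.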

logging – Need to make changes in logs received by SIEM

Open Source SIEM Case Management

Dears,

I’m wondering if there are any open source SIEM case management platforms (e.g. the case management in Logrhythm SIEM)?

I need to integrate my SIEM with case management; so I can link the alarms with cases.

Thanks in advance.

What are the specific differences between UEBA and SIEM? [closed]

I have explored UEBA products in recent days. I just want to know its real difference from SIEM.

siem – Splunk Join search with time problem

Case of research:

Join the search between two sources (IPS log and DHCP)

IPS log: threat, IP, hostname

DHCP Log: IP, hostname

Purpose: to search for the hostname of the IP address that triggered the IPS, whereas DHCP gives the same IP to multiple hosts.

index=ips | join IP type=inner (search index=dhcp | fields _time,IP,HOSTNAME) | stats count by Threat,IP,Hostname

Problem: I get only the last value of my DHCP index.
If IP x.x.x.x was used by three hosts during the day (host A, host B and host C),
host B is the host that triggered the IPS at 12 pm, but host C is the last host that used the IP at 4 pm.

Now, when I check my search at 5 pm, it shows that the threat in IPS was triggered at 12 o'clock with the hostname host C, which is wrong.
It must show host B.

Is there a way to solve this problem so that the correct host is displayed for the IPS threat?
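The fix is a time-aware lookup: for each IPS alert, pick the DHCP assignment for that IP that is the latest one at or before the alert's own time, not the latest one overall. As an added example (not code from the question, and written in Python rather than SPL so it can be run), both behaviours are coded over constructed IPS and DHCP events; the field names follow the question, the sample values are assumptions.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed sample events (not the question's data). _time is seconds since midnight.
DHCP = [                                            # who got 10.0.0.5, and when
    {"_time": 8 * 3600,  "IP": "10.0.0.5", "HOSTNAME": "hostA"},
    {"_time": 11 * 3600, "IP": "10.0.0.5", "HOSTNAME": "hostB"},
    {"_time": 16 * 3600, "IP": "10.0.0.5", "HOSTNAME": "hostC"},
]
IPS = [
    {"_time": 12 * 3600, "Threat": "Malware beacon", "IP": "10.0.0.5"},  # noon: hostB's lease
    {"_time": 17 * 3600, "Threat": "Port scan",      "IP": "10.0.0.5"},  # 5 pm: hostC's lease
    {"_time": 9 * 3600,  "Threat": "Tor exit",       "IP": "10.0.0.9"},  # no lease known
]

def build_lease_index(dhcp_events):
    """Per IP, the (time, host) assignments in time order, ready for binary search."""
    idx = defaultdict(list)
    for e in sorted(dhcp_events, key=lambda e: e["_time"]):
        idx[e["IP"]].append((e["_time"], e["HOSTNAME"]))
    return idx

def host_at(idx, ip, t):
    """Host holding `ip` at time t: the latest DHCP assignment at or before t, else None."""
    leases = idx.get(ip, [])
    pos = bisect_right([lease_time for lease_time, _ in leases], t)
    return leases[pos - 1][1] if pos else None

def enrich(ips_events, dhcp_events):
    """Time-aware join: each IPS alert gets the host that held the IP when the alert fired."""
    idx = build_lease_index(dhcp_events)
    return [dict(e, Hostname=host_at(idx, e["IP"], e["_time"])) for e in ips_events]

def last_lease_join(ips_events, dhcp_events):
    """The behaviour the question describes: every alert gets the IP's most recent host."""
    latest = {e["IP"]: e["HOSTNAME"] for e in sorted(dhcp_events, key=lambda e: e["_time"])}
    return [dict(e, Hostname=latest.get(e["IP"])) for e in ips_events]

def count_by(events):
    """Equivalent of `stats count by Threat,IP,Hostname`."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["Threat"], e["IP"], e["Hostname"])] += 1
    return dict(counts)
```

Note that an alert whose IP has no earlier lease on record comes back with no hostname rather than a guessed one, which is the honest answer when DHCP retention is shorter than the IPS retention.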

siem – Where can I download examples of security log file archives?

I propose to help some people learn to use Splunk to analyse logs as a SIEM. Therefore, I will need public log file archives such as auditd, secure.log, firewall and web app logs, which I can upload to the Splunk instance and write queries against on this subject.

Do you know a place where I can download this type of log file?

content security policy – Question about SIEM

The company I work for has a SIEM that detects when you are trying to install software on any workstation. If one of the employees tries to install the wrong software, the SIEM triggers an alert. To work around this problem, my friends at work usually download software from their laptop.
Has the SIEM produced a false negative in this situation?
